It was found that Spring MVC processed user-provided XML with JAXB, in combination with a StAX XMLInputFactory, without disabling external entity resolution. A remote attacker could use this flaw to conduct XML External Entity (XXE) attacks on web sites, and read files in the context of the user running the application server. This flaw affects Spring Framework 3.2.x before 3.2.4 and 4.0.0.M1 through 4.0.0.M2.
Upstream Patch: https://jira.springsource.org/secure/attachment/21319/Jaxb2CollectionHttpMessageConverter.patch Statement: Not affected. Spring MVC as shipped in various Red Hat products does not include the vulnerable org.springframework.http.converter.xml.Jaxb2CollectionHttpMessageConverter class.